You can use the Jython scripting language to configure the security auditing system with the wsadmin tool. Use the commands and parameters in the AuditFilterCommands group to configure and manage auditable events.
The convertFilterRefToString command converts a reference ID of a filter to a shortened string value such as AUTHN:SUCCESS.
Target object
None.
Required parameters
Return value
AUTHN:SUCCESS,AUTHN:INFO,AUTHZ:SUCCESS,AUTHZ:INFO
Batch mode example usage
AdminTask.convertFilterRefToString('-filterRef AuditSpecification_1184598886859')
AdminTask.convertFilterRefToString(['-filterRef', 'AuditSpecification_1184598886859'])
Interactive mode example usage
AdminTask.convertFilterRefToString('-interactive')
The convertFilterStringToRef command converts the shortened name of an event type, such as AUTHN:SUCCESS, to the reference ID of the audit filter in the audit.xml configuration file.
The command accepts one event and outcome pair. The command does not accept multiple event and outcome pairs, such as AUTHN:SUCCESS AUTHZ:SUCCESS.
Target object
None.
Required parameters
Return value
AuditSpecification_1173199825608
Batch mode example usage
AdminTask.convertFilterStringToRef('-filter AUTHN:SUCCESS')
AdminTask.convertFilterStringToRef(['-filter', 'AUTHN:SUCCESS'])
Interactive mode example usage
AdminTask.convertFilterStringToRef('-interactive')
The createAuditFilter command creates and enables a new audit event filter specification entry in the audit.xml configuration file.
The user must have the auditor administrative role to run this command.
Target object
None.
Required parameters
Event name | Description |
---|---|
SECURITY_AUTHN | Audits all authentication events |
SECURITY_AUTHN_MAPPING | Audits events that record mapping of credentials where two user identities are involved |
SECURITY_AUTHN_TERMINATE | Audits authentication termination events such as a timeout, terminated session, or user-initiated logging out |
SECURITY_AUTHZ | Audits events related to authorization checks when the system enforces access control policies |
SECURITY_RUNTIME | Audits runtime events such as the starting and the stopping of security servers. This event type is not meant for administrative operations performed by a system administrator as such operations need to use the other SECURITY_MGMT_* event types. |
SECURITY_MGMT_AUDIT | Audits events that record operations related to the audit subsystem such as starting audit, stopping audit, turning audit on or off, changing configuration of audit filters or level, archiving audit data, purging audit data, and so on. |
SECURITY_RESOURCE_ACCESS | Audits events that record all accesses to a resource. Examples are all accesses to a file, all HTTP requests and responses to a given web page, and all accesses to a critical database table |
SECURITY_SIGNING | Audits events that record signing such as signing operations used to validate parts of a SOAP Message for web services |
SECURITY_ENCRYPTION | Audits events that record encryption information such as encryption for web services |
SECURITY_AUTHN_DELEGATION | Audits events that record delegation, including identity assertion, RunAs, and low assertion. Used when the client identity is propagated or when delegation involves the use of a special identity. This event type is also used when switching user identities within a given session. |
SECURITY_AUTHN_CREDS_MODIFY | Audits events to modify credentials for a given user identity |
Return value
AuditSpecification_1184689433421
Batch mode example usage
AdminTask.createAuditFilter('-name myfilter -eventType "SECURITY_MGMT_PROVISIONING, SECURITY_MGMT_POLICY" -outcome SUCCESS')
AdminTask.createAuditFilter(['-name', 'myfilter', '-eventType', '"SECURITY_MGMT_PROVISIONING,', 'SECURITY_MGMT_POLICY"', '-outcome', 'SUCCESS'])
Interactive mode example usage
AdminTask.createAuditFilter('-interactive')
The deleteAuditFilter command deletes the audit event filter specification from the audit.xml file that the system references by an event type and outcome.
The user must have the auditor administrative role to run this command.
Target object
None.
Required parameters
Event name | Description |
---|---|
SECURITY_AUTHN | Audits all authentication events |
SECURITY_AUTHN_MAPPING | Audits events that record mapping of credentials where two user identities are involved |
SECURITY_AUTHN_TERMINATE | Audits authentication termination events such as a timeout, terminated session, or user-initiated logging out |
SECURITY_AUTHZ | Audits events related to authorization checks when the system enforces access control policies |
SECURITY_RUNTIME | Audits runtime events such as the starting and the stopping of security servers. This event type is not meant for administrative operations performed by a system administrator as such operations need to use the other SECURITY_MGMT_* event types. |
SECURITY_MGMT_AUDIT | Audits events that record operations related to the audit subsystem such as starting audit, stopping audit, turning audit on or off, changing configuration of audit filters or level, archiving audit data, purging audit data, and so on. |
SECURITY_RESOURCE_ACCESS | Audits events that record all accesses to a resource. Examples are all accesses to a file, all HTTP requests and responses to a given web page, and all accesses to a critical database table |
SECURITY_SIGNING | Audits events that record signing such as signing operations used to validate parts of a SOAP Message for web services |
SECURITY_ENCRYPTION | Audits events that record encryption information such as encryption for web services |
SECURITY_AUTHN_DELEGATION | Audits events that record delegation, including identity assertion, RunAs, and low assertion. Used when the client identity is propagated or when delegation involves the use of a special identity. This event type is also used when switching user identities within a given session. |
SECURITY_AUTHN_CREDS_MODIFY | Audits events to modify credentials for a given user identity |
Return value
The command returns a value of true if the system successfully deletes the audit filter from your configuration.
Batch mode example usage
AdminTask.deleteAuditFilter('-eventType SECURITY_AUTHN –outcome SUCCESS')
AdminTask.deleteAuditFilter(['-eventType', 'SECURITY_AUTHN', '–outcome', 'SUCCESS'])
Interactive mode example usage
AdminTask.deleteAuditFilter('-interactive')
The deleteAuditFilterByRef command deletes the audit filter that the system references by the referenced id.
The user must have the auditor administrative role to run this command.
Target object
None.
Required parameters
Return value
The command returns a value of true if the system successfully deletes the audit filter specification from the audit.xml file.
Batch mode example usage
AdminTask.deleteAuditFilterByRef('-filterRef AuditSpecification_1173199825608')
AdminTask.deleteAuditFilterByRef(['-filterRef', 'AuditSpecification_1173199825608'])
Interactive mode example usage
AdminTask.deleteAuditFilterByRef('-interactive')
The disableAuditFilter command disables the audit filter specification that corresponds to a specific reference id.
The user must have the auditor administrative role to run this command.
Target object
None.
Required parameters
Return value
The command returns a value of true if the system successfully disables the audit filter.
Batch mode example usage
AdminTask.disableAuditFilter('-filterRef', 'AuditSpecification_1184689433421')
Interactive mode example usage
AdminTask.disableAuditFilter('-interactive')
The enableAuditFilter command enables the audit filter specification that corresponds to a specific reference id. Use this command to enable a filter that was previously configured and disabled in your security auditing system configuration. To create a new audit filter specification, use the creatAuditFilter command.
The user must have the auditor administrative role to run this command.
Target object
None.
Required parameters
Return value
The command returns a value of true if the system successfully enables the audit filter.
Batch mode example usage
AdminTask.enableAuditFilter('-filterRef AuditSpecification_1184689433421')
AdminTask.enableAuditFilter(['-filterRef', 'AuditSpecification_1184689433421'])
Interactive mode example usage
AdminTask.enableAuditFilter('-interactive')
The getAuditFilter command retrieves the attributes that the system associates with the audit filter specification of interest.
The user must have the monitor administrative role to run this command.
Target object
None.
Required parameters
Return value
{{enabled true} {name DefaultAuditSpecification_1} {event SECURITY_AUTHN SECURITY_AUTHN_MAPPING} {outcome FAILURE} {_Websphere_Config_Data_Id cells/Node04Cell|audit.xml#AuditSpecification_1173199825608} {_Websphere_Config_Data_Type AuditSpecification}}
Batch mode example usage
AdminTask.getAuditFilter('-reference AuditSpecification_1173199825608')
AdminTask.getAuditFilter(['-reference', 'AuditSpecification_1173199825608'])
Interactive mode example usage
AdminTask.getAuditFilter('-interactive')
The getAuditOutcomes command retrieves a list of the enabled outcomes for the auditable event type of interest.
The user must have the monitor administrative role to run this command.
Target object
None.
Required parameters
Event name | Description |
---|---|
SECURITY_AUTHN | Audits all authentication events |
SECURITY_AUTHN_MAPPING | Audits events that record mapping of credentials where two user identities are involved |
SECURITY_AUTHN_TERMINATE | Audits authentication termination events such as a timeout, terminated session, or user-initiated logging out |
SECURITY_AUTHZ | Audits events related to authorization checks when the system enforces access control policies |
SECURITY_RUNTIME | Audits runtime events such as the starting and the stopping of security servers. This event type is not meant for administrative operations performed by a system administrator as such operations need to use the other SECURITY_MGMT_* event types. |
SECURITY_MGMT_AUDIT | Audits events that record operations related to the audit subsystem such as starting audit, stopping audit, turning audit on or off, changing configuration of audit filters or level, archiving audit data, purging audit data, and so on. |
SECURITY_RESOURCE_ACCESS | Audits events that record all accesses to a resource. Examples are all accesses to a file, all HTTP requests and responses to a given web page, and all accesses to a critical database table |
SECURITY_SIGNING | Audits events that record signing such as signing operations used to validate parts of a SOAP Message for web services |
SECURITY_ENCRYPTION | Audits events that record encryption information such as encryption for web services |
SECURITY_AUTHN_DELEGATION | Audits events that record delegation, including identity assertion, RunAs, and low assertion. Used when the client identity is propagated or when delegation involves the use of a special identity. This event type is also used when switching user identities within a given session. |
SECURITY_AUTHN_CREDS_MODIFY | Audits events to modify credentials for a given user identity |
Return value
SUCCESS
Batch mode example usage
AdminTask.getAuditOutcomes('-eventType SECURITY_MGMT_PROVISIONING')
AdminTask.getAuditOutcomes(['-eventType', 'SECURITY_MGMT_PROVISIONING'])
Interactive mode example usage
AdminTask.getAuditOutcomes('-interactive')
The getSupportedAuditEvents command returns a list of each supported auditable event.
The user must have the monitor administrative role to run this command.
Target object
None.
Return value
SECURITY_AUTHN_DELEGATION SECURITY_AUTHN_MAPPING SECURITY_AUTHN_TERMINATE SECURITY_AUTHZ SECURITY_ENCRYPTION SECURITY_MGMT_AUDIT SECURITY_MGMT_CONFIG SECURITY_MGMT_KEY SECURITY_MGMT_POLICY SECURITY_MGMT_PROVISIONING SECURITY_MGMT_REGISTRY SECURITY_MGMT_RESOURCE SECURITY_RESOURCE_ACCESS SECURITY_RUNTIME SECURITY_RUNTIME_KEY SECURITY_SIGNING
Batch mode example usage
AdminTask.getSupportedAuditEvents()
AdminTask.getSupportedAuditEvents()
Interactive mode example usage
AdminTask.getSupportedAuditEvents('-interactive')
The getSupportedAuditOutcomes command retrieves a list of each supported outcome for the auditable event filters.
The user must have the monitor administrative role to run this command.
Target object
None.
Return value
SUCCESS INFO WARNING ERROR DENIED REDIRECT FAILURE
Batch mode example usage
AdminTask.getSupportedAuditOutcomes()
AdminTask.getSupportedAuditOutcomes()
Interactive mode example usage
AdminTask.getSupportedAuditOutcomes('-interactive')
The isAuditFilterEnabled command determines if the audit filter of interest is enabled in the audit.xml configuration file.
The user must have the monitor administrative role to run this command.
Target object
None.
Required parameters
Event name | Description |
---|---|
SECURITY_AUTHN | Audits all authentication events |
SECURITY_AUTHN_MAPPING | Audits events that record mapping of credentials where two user identities are involved |
SECURITY_AUTHN_TERMINATE | Audits authentication termination events such as a timeout, terminated session, or user-initiated logging out |
SECURITY_AUTHZ | Audits events related to authorization checks when the system enforces access control policies |
SECURITY_RUNTIME | Audits runtime events such as the starting and the stopping of security servers. This event type is not meant for administrative operations performed by a system administrator as such operations need to use the other SECURITY_MGMT_* event types. |
SECURITY_MGMT_AUDIT | Audits events that record operations related to the audit subsystem such as starting audit, stopping audit, turning audit on or off, changing configuration of audit filters or level, archiving audit data, purging audit data, and so on. |
SECURITY_RESOURCE_ACCESS | Audits events that record all accesses to a resource. Examples are all accesses to a file, all HTTP requests and responses to a given web page, and all accesses to a critical database table |
SECURITY_SIGNING | Audits events that record signing such as signing operations used to validate parts of a SOAP Message for web services |
SECURITY_ENCRYPTION | Audits events that record encryption information such as encryption for web services |
SECURITY_AUTHN_DELEGATION | Audits events that record delegation, including identity assertion, RunAs, and low assertion. Used when the client identity is propagated or when delegation involves the use of a special identity. This event type is also used when switching user identities within a given session. |
SECURITY_AUTHN_CREDS_MODIFY | Audits events to modify credentials for a given user identity |
Return value
The command returns a value of true if the event type of interest is enabled in your configuration.
Batch mode example usage
AdminTask.isAuditFilterEnabled('-eventType SECURITY_MGMT_PROVISIONING -outcome SUCCESS')
AdminTask.isAuditFilterEnabled(['-eventType', 'SECURITY_MGMT_PROVISIONING', '-outcome', 'SUCCESS'])
Interactive mode example usage
AdminTask.isAuditFilterEnabled('-interactive')
The isEventEnabled command determines if the system enabled at least one audit outcome for the event of interest.
The user must have the monitor administrative role to run this command.
Target object
None.
Required parameters
Event name | Description |
---|---|
SECURITY_AUTHN | Audits all authentication events |
SECURITY_AUTHN_MAPPING | Audits events that record mapping of credentials where two user identities are involved |
SECURITY_AUTHN_TERMINATE | Audits authentication termination events such as a timeout, terminated session, or user-initiated logging out |
SECURITY_AUTHZ | Audits events related to authorization checks when the system enforces access control policies |
SECURITY_RUNTIME | Audits runtime events such as the starting and the stopping of security servers. This event type is not meant for administrative operations performed by a system administrator as such operations need to use the other SECURITY_MGMT_* event types. |
SECURITY_MGMT_AUDIT | Audits events that record operations related to the audit subsystem such as starting audit, stopping audit, turning audit on or off, changing configuration of audit filters or level, archiving audit data, purging audit data, and so on. |
SECURITY_RESOURCE_ACCESS | Audits events that record all accesses to a resource. Examples are all accesses to a file, all HTTP requests and responses to a given web page, and all accesses to a critical database table |
SECURITY_SIGNING | Audits events that record signing such as signing operations used to validate parts of a SOAP Message for web services |
SECURITY_ENCRYPTION | Audits events that record encryption information such as encryption for web services |
SECURITY_AUTHN_DELEGATION | Audits events that record delegation, including identity assertion, RunAs, and low assertion. Used when the client identity is propagated or when delegation involves the use of a special identity. This event type is also used when switching user identities within a given session. |
SECURITY_AUTHN_CREDS_MODIFY | Audits events to modify credentials for a given user identity |
Return value
The command returns a value of true if the audit filter of interest has at least one outcome configured in the audit.xml file.
Batch mode example usage
AdminTask.isEventEnabled('-eventType SECURITY_AUTHN')
AdminTask.isEventEnabled(['-eventType', 'SECURITY_AUTHN'])
Interactive mode example usage
AdminTask.isEventEnabled('-interactive')
The listAuditFilters command lists each audit filter and the corresponding attributes that the system defines in the audit.xml file.
The user must have the monitor administrative role to run this command.
Target object
None.
Return value
{{enabled true} {name DefaultAuditSpecification_1} {event SECURITY_AUTHN SECURITY_AUTHN_MAPPING} {outcome FAILURE} {_Websphere_Config_Data_Id cells/CHEYENNENode04Cell|audit.xml#AuditSpecification_1173199825608} {_Websphere_Config_Data_Type AuditSpecification} {filterRef AuditSpecification_1173199825608}} {{enabled true} {name DefaultAuditSpecification_2} {event {}} {outcome FAILURE} {_Websphere_Config_Data_Id cells/CHEYENNENode04Cell|audit.xml#AuditSpecification_1173199825609} {_Websphere_Config_Data_Type AuditSpecification} {filterRef AuditSpecification_1173199825609}} {{enabled true} {name DefaultAuditSpecification_3} {event SECURITY_RESOURCE_ACCESS} {outcome FAILURE} {_Websphere_Config_Data_Id cells/CHEYENNENode04Cell|audit.xml#AuditSpecification_1173199825610} {_Websphere_Config_Data_Type AuditSpecification} {filterRef AuditSpecification_1173199825610}} {{enabled true} {name DefaultAuditSpecification_4} {event SECURITY_AUTHN_TERMINATE} {outcome FAILURE} {_Websphere_Config_Data_Id cells/CHEYENNENode04Cell|audit.xml#AuditSpecification_1173199825611} {_Websphere_Config_Data_Type AuditSpecification} {filterRef AuditSpecification_1173199825611}} {{enabled true} {name myfilter} {event SECURITY_AUTHZ} {outcome REDIRECT} {_Websphere_Config_Data_Id cells/CHEYENNENode04Cell|audit.xml#AuditSpecification_1184365235250} {_Websphere_Config_Data_Type AuditSpecification} {filterRef AuditSpecification_1184365235250}} {{enabled true} {name myfilter1} {event SECURITY_AUTHZ SECURITY_RESOURCE_ACCESS} {outcome REDIRECT INFO} {_Websphere_Config_Data_Id cells/CHEYENNENode04Cell|audit.xml#AuditSpecification_1184365353218} {_Websphere_Config_Data_Type AuditSpecification} {filterRef AuditSpecification_1184365353218}} {{enabled true} {name myfilter} {event SECURITY_AUTHN SECURITY_AUTHZ} {outcome SUCCESS INFO} {_Websphere_Config_Data_Id cells/CHEYENNENode04Cell|audit.xml#AuditSpecification_1184598886859} {_Websphere_Config_Data_Type AuditSpecification} {filterRef AuditSpecification_1184598886859}} {{enabled false} {name myfilter} {event SECURITY_MGMT_PROVISIONING SECURITY_MGMT_POLICY} {outcome SUCCESS} {_Websphere_Config_Data_Id cells/CHEYENNENode04Cell|audit.xml#AuditSpecification_1184689433421} {_Websphere_Config_Data_Type AuditSpecification} {filterRef AuditSpecification_1184689433421}}
Batch mode example usage
AdminTask.listAuditFilters()
AdminTask.listAuditFilters()
Interactive mode example usage
AdminTask.listAuditFilters('-interactive')
The listAuditFiltersByEvent command retrieves a list of events and event outcomes for each audit filter that is configured in the audit.xml file.
The user must have the monitor administrative role to run this command.
Target object
None.
Return value
{AuditSpecification_1173199825608 SECURITY_AUTHN:FAILURE}{AuditSpecification_117 3199825608 SECURITY_AUTHN_MAPPING:FAILURE}{AuditSpecification_1173199825610 SECU RITY_RESOURCE_ACCESS:FAILURE}{AuditSpecification_1173199825611 SECURITY_AUTHN_TE RMINATE:FAILURE}{AuditSpecification_1184365235250 SECURITY_AUTHZ:REDIRECT}{Audit Specification_1184365353218 SECURITY_AUTHZ:REDIRECT;SECURITY_AUTHZ:INFO}{AuditSp ecification_1184365353218 SECURITY_RESOURCE_ACCESS:REDIRECT;SECURITY_RESOURCE_AC CESS:INFO}{AuditSpecification_1184598886859 SECURITY_AUTHN:SUCCESS;SECURITY_AUTH N:INFO}{AuditSpecification_1184598886859 SECURITY_AUTHZ:SUCCESS;SECURITY_AUTHZ:I NFO}{AuditSpecification_1184689433421 SECURITY_MGMT_PROVISIONING:SUCCESS}{AuditS pecification_1184689433421 SECURITY_MGMT_POLICY:SUCCESS}
Batch mode example usage
AdminTask.listAuditFiltersByEvent()
AdminTask.listAuditFiltersByEvent()
Interactive mode example usage
AdminTask.listAuditFiltersByEvent('-interactive')
The listAuditFiltersByRef command lists all reference ids that correspond to the audit filters that are defined in the audit.xml file.
The user must have the monitor administrative role to run this command.
Target object
None.
Return value
AuditSpecification_1173199825608 AuditSpecification_1173199825609 AuditSpecification_1173199825610 AuditSpecification_1173199825611 AuditSpecification_1184365235250 AuditSpecification_1184365353218 AuditSpecification_1184598886859 AuditSpecification_1184689433421
Batch mode example usage
AdminTask.listAuditFiltersByRef()
AdminTask.listAuditFiltersByRef()
Interactive mode example usage
AdminTask.listAuditFiltersByRef('-interactive')
The modifyAuditFilter command modifies the audit filter specification in the audit.xml configuration file.
The user must have the auditor administrative role to run this command.
Target object
None.
Required parameters
Optional parameters
Return value
The command returns a value of true if the system successfully updates the audit filter.
Batch mode example usage
AdminTask.modifyAuditFilter('-filterRef AuditSpecification_1173199825608 -name
myname -eventType SECURITY_AUTHN -outcome SUCCESS -enableFilter true')
AdminTask.modifyAuditFilter(['-filterRef', 'AuditSpecification_1173199825608', '-name',
'myname', '-eventType', 'SECURITY_AUTHN', '-outcome', 'SUCCESS', '-enableFilter',
'true'])
Interactive mode example usage
AdminTask.modifyAuditFilter('-interactive')